Information Assurance (Supply Chain) - Manager

Location: Birmingham, Manchester, Leeds, Watford, Reading or Bristol

Role Description: The Information Assurance team is the 2nd Line of Defence, ensuring KPMG manages information security and data privacy risk and compliance in line with legislative, regulatory & client obligations, enabling the trust and growth agenda. As an Information Assurance Manager, you will be responsible for the delivery of the supply chain risk and assurance compliance programme. You will collaborate with teams across the firm to navigate complexities of the supply chain and ensure suppliers are compliant with KPMG security and data protection and privacy requirements, helping to minimise risk to our employees, clients and audited entities. The Information Assurance Manager will apply their supply chain risk and assurance skills to perform all relevant duties as part of the Information Assurance team.

Key Responsibilities:

• Act as a trusted advisor to stakeholders, providing accurate, appropriate, timely assurance information regarding the KPMG supply chain across capabilities and firmwide.
• Identify emerging trends and issues with the KPMG supply chain to shape and inform the KPMG risk posture.
• Support the development and implementation of the annual service roadmap aligned to KPMG strategic goals and ambitions.
• Develop the annualised audit schedule, applying a risk-based approach, proactively adapting the schedule to accommodate emerging risks or strategic requirements.
• Be proactive in identification of continuous improvements to foster positive change within the Information Assurance team, seeking innovative solutions to enhance practices.
• Deliver the 2nd LoD Supply Chain audit activity to monitor supply chain compliance against regulatory, client, global and local policy & standard requirements, including ISO27001.
• Ensure that all supplier contracts include standardised Information Security and Data Privacy statements.
• Define and report on Supply Chain Assurance metrics, providing insights into compliance and risk, highlighting areas for improvement.
• Log all findings in the GRC tooling, track, review and monitor remediation results and associated evidence, signing off closure where appropriate.
• Ensure all findings are linked to risks and the supply chain risk posture is documented and understood.
• Proactively work with finding owners to ensure remediation action plans are defined and delivered in a timely manner.
• Provide analysis and thematic reviews and consolidation of findings and recommend risk treatment plans to reduce risk for the firm.
• Ensure audit work is documented in accordance with business standard and fully supports conclusions and overall opinion through 1st / 2nd level reviews.
• Coach, performance manage and develop a team across multiple geographies.
• Monitor the activities of the audit team to ensure that all work is delivered to a high standard.
• Lead and conduct other Information Security & Privacy audit activity on behalf of KPMG (i.e. SOC2).

Skills and experience required:

• Excellent management capability at a manager level, with the ability to motivate teams in multiple locations to deliver an exceptional service.
• Outstanding stakeholder management skills, the ability to collaborate and develop relationships internally and externally.
• Strong experience advising on supply chain matters, with appropriate background in developing and implementing supply chain risk and assurance frameworks.
• Excellent audit management capability, with an ability to quality check auditors.
• Solid working knowledge of ISO27001, Cyber Essentials/ Cyber Essentials Plus, NIST Cybersecurity Framework, CIS, SOC2, Data Protection (UK GDPR, DPA, PECR) and experience of operational implementation.
• Good understanding of ancillary frameworks (EU AI Act, UK AI Frameworks).
• Experience of maturing processes to deliver service improvements.
• Excellent analytical and reporting skills, using presentation tools to present complex information with exceptional attention to detail.
• Excellent communication skills, both written and verbal.
• Well organised and able to maintain a high workload efficiently at a consistently high standard and manage the workload of a multi geolocated team.
• Strong knowledge of information security controls.
• Experience of implementation and working with GRC tools (ServiceNow) and supplier management tools (Coupa, Bitsight).
• Understanding of a 3 lines of defence model (risk & assurance).
• Be highly motivated and able to work independently.

Additional Requirements:

• Significant experience in information security and supply chain risk and assurance.
• Certifications in information security, such as CISM, CISMP, CISSP.